Fraudsters Use Padlocks, Too: More on Certificate Use and Abuse

A couple of months ago I wrote here about HTTPS and website security from a user standpoint. I need to add to that because bad guys can also use the digital certificates that make browsers show green padlocks or suppress notices about unencrypted sites.

The issue here is that the certificate that lets a site use https: doesn’t verify that the site itself is legit; it just means that the communication with that site is encrypted. As such, while it is an important protection for the user, it is nowhere near enough to ensure that the site is not a scammer, fraudster, or another type of bad actor.

Longtime readers of this blog will likely expect me to enjoin users to constantly beware, perform due diligence, etc. I’m not going to do that this time because I’ll be teaching another of Learning Tree’s Security Awareness courses soon, and because I’ve talked about these things before.

Instead, I want to stress the importance of Extended Validation (EV) certificates. In my earlier post I wrote:

This type of certificate requires extensive validation and provides the most trust. The issuer of the certificate does significantly more rigorous checks of the applicants for these certificates. … Different browsers convey the information that the site is using an EV certificate in different ways. Most involve showing the name of the owner of the site in green.

There are two important things that make these certificates especially valuable in determining the safety of a website:

I already mentioned in the last post (quoted above) the rigorous checks of the certificate applicants. That makes it very unlikely that a scammer would be approved. These certificates are also correspondingly expensive, so a fly-by-night scammer is unlikely to apply.

Digital certificates (EV and non-EV) need a method to let users know when they become invalid. That could come from the certificate being compromised, from the issuer realizing that it was incorrectly issued, or for other reasons. The primary way to do this is through something called the Online Certificate Status Protocol (OCSP). With it, a browser can ask the issuer, “is this certificate still good?” Unfortunately, this can take a significant amount of time and may therefore be disabled.

A critical feature of EV certificates is that the onus for verifying certificate status is moved from the browser to the server through something called “OCSP must-staple”. OCSP stapling means the server checks the status of its own certificate regularly and includes that information as an extension to the certificate when it is sent to the user.

Unfortunately, this can be complicated: servers may not properly check the OCSP information, browsers may not check for the stapling information, and users may not notice or care that a site name is not green. The idea is good, but the implementations often fall short.
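Two checks a site operator can run for the stapling described above, as an added example that is not part of the original post: whether a certificate carries the must-staple request, and whether a live server actually staples an OCSP response. It assumes OpenSSL 1.1.1 or later; the host and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post.  Needs OpenSSL 1.1.1+ (-addext).
# The must-staple request lives in the certificate's "TLS Feature" extension;
# the stapled response itself travels in the TLS handshake, which
# "openssl s_client -status" prints.

# Returns 0 if the PEM certificate in $1 asks for OCSP must-staple.
has_must_staple() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# Returns 0 if a saved "openssl s_client -status" transcript in $1 shows a
# successful stapled OCSP response, 1 if the server sent none.
staple_seen() {
    grep -q 'OCSP Response Status: successful' "$1"
}

# Live check (needs network, not exercised offline).  $1 is a placeholder host.
check_live_stapling() {
    host=$1; out=$(mktemp)
    echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null >"$out"
    if staple_seen "$out"; then echo "$host: OCSP response stapled"
    else echo "$host: no stapled OCSP response"; fi
    rm -f "$out"
}

# Offline demo: two throwaway self-signed certificates, one with the
# must-staple extension (tlsfeature=status_request) and one without.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkcert() {  # $1 = output file, $2 = extra -addext value, may be empty
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=must-staple.example' \
            -keyout "$WORK/key.pem" -out "$1" -addext "$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=plain.example' \
            -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
    fi
}
mkcert "$WORK/staple.pem" 'tlsfeature=status_request'
mkcert "$WORK/plain.pem" ''
for c in "$WORK/staple.pem" "$WORK/plain.pem"; do
    if has_must_staple "$c"; then echo "$c: requests must-staple"
    else echo "$c: no must-staple request"; fi
done
```

A browser that honours must-staple refuses a connection when the server omits the stapled response, so run the live check against your own hosts before enabling the extension on a production certificate.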

The use of EV certificates can and should significantly increase user confidence in a site’s ownership and security. Sadly, the web has a long way to go to help less-aware users not just feel secure, but be secure.